Edit: I had some angle brackets that was cutting out the rest of my description of the problem. I've edited for the complete text to show.
We placed our custom fonts under /App_Themes/[site]/fonts/ and we've found that when we are logged into the CMS, we can access the fonts via https://[domain]/App_Themes/... (which will prompt a download dialog), but once we are logged out, the same URL will redirect us to the login screen.
I've combed through the Kentico settings, but I don't see a reason why it's asking for authentication, nor how to stop it.
Essentially what's happening is that when we are logged in, we can see the font on the site, but for our public users, they are seeing the default font instead, and when we look up the network traffic, all the font requests from the CSS files are getting 302 http code (redirection to the login page).
Edit 2: IIS looks fine with anon access enabled. I don't see anything on IIS that would be causing this.
Oddly, it worked after I gave the "Everyone" user read access specifically to the fonts folder. I thought everything would go through the app pool identity, but I guess not.
Files in the /App_Themes directories are available to all users unless you've set something specifically in IIS.
Please, sign in to be able to submit a new answer.